codeslick-cli 1.1.6 → 1.2.0

package/dist/src/lib/analyzers/go/security-checks/concurrency-safety.js

@@ -0,0 +1,321 @@
+"use strict";
+/**
+ * Go Concurrency Safety Security Checks
+ * OWASP A04:2025 - Insecure Design
+ *
+ * Detects concurrency-related vulnerabilities in Go code including race conditions
+ * and goroutine leaks.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkConcurrencySafety = checkConcurrencySafety;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for concurrency safety issues
+ *
+ * Covers:
+ * - Check #1: Race conditions (unsynchronized variable access in concurrent contexts) (HIGH)
+ *   - Map access without mutex protection
+ *   - Slice modifications without synchronization
+ *   - Simple variable operations (counter++, assignments) without mutex/atomic
+ * - Check #2: Goroutine leaks (unclosed channels) (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkConcurrencySafety(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    // First pass: Track goroutines, channels, maps, and slices
+    const fileContent = lines.join('\n');
+    const hasGoroutines = /go\s+\w+\s*\(|go\s+func\s*\(/i.test(fileContent);
+    const hasChannels = /make\s*\(\s*chan\s+/i.test(fileContent);
+    // Track map and slice declarations
+    const mapVars = new Set();
+    const sliceVars = new Set();
+    const channelVars = new Set();
+    const mutexVars = new Set();
+    // First pass: Collect variable declarations
+    lines.forEach((line, index) => {
+        const trimmed = line.trim();
+        // Track map declarations
+        const mapMatch = trimmed.match(/(\w+)\s*(?::=|=)\s*make\s*\(\s*map\s*\[/i);
+        if (mapMatch) {
+            mapVars.add(mapMatch[1]);
+        }
+        // Track slice declarations (var name []type, name := []type, name := make([]type))
+        const sliceMatch = trimmed.match(/(?:var\s+)?(\w+)\s*(?::=|=|\s)\s*(?:make\s*\(\s*)?(\[\])/i);
+        if (sliceMatch && !trimmed.includes('map[')) {
+            sliceVars.add(sliceMatch[1]);
+        }
+        // Track channel declarations
+        const chanMatch = trimmed.match(/(\w+)\s*(?::=|=)\s*make\s*\(\s*chan\s+/i);
+        if (chanMatch) {
+            channelVars.add(chanMatch[1]);
+        }
+        // Track mutex declarations
+        const mutexMatch = trimmed.match(/(\w+)\s+(?:sync\.)?(?:Mutex|RWMutex)/i);
+        if (mutexMatch) {
+            mutexVars.add(mutexMatch[1]);
+        }
+    });
+    // Second pass: Check for unsafe concurrent access
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comments (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//')) {
+            return;
+        }
+        // =============================================================================
+        // Check #1: Race Conditions (Unsynchronized Map/Slice Access)
+        // =============================================================================
+        // CVSS 7.0 - HIGH
+        // Detects concurrent access to maps/slices without synchronization
+        if (hasGoroutines) {
+            // Check for map access without mutex protection
+            for (const mapVar of mapVars) {
+                const hasMapAccess = new RegExp(`${mapVar}\\s*\\[|${mapVar}\\s*=`, 'i').test(trimmed);
+                if (hasMapAccess) {
+                    // Look for mutex protection in surrounding ±10 lines
+                    let hasMutexProtection = false;
+                    const startLine = Math.max(0, index - 10);
+                    const endLine = Math.min(lines.length, index + 10);
+                    for (let i = startLine; i < endLine; i++) {
+                        const contextLine = lines[i].trim();
+                        if (/\.Lock\(\)|\.RLock\(\)|\.Unlock\(\)|\.RUnlock\(\)|sync\.Map/i.test(contextLine)) {
+                            hasMutexProtection = true;
+                            break;
+                        }
+                    }
+                    // Also check if goroutine is in the context
+                    let hasGoroutineInContext = false;
+                    for (let i = startLine; i < endLine; i++) {
+                        if (/go\s+func|go\s+\w+\s*\(/i.test(lines[i])) {
+                            hasGoroutineInContext = true;
+                            break;
+                        }
+                    }
+                    if (!hasMutexProtection && hasGoroutineInContext) {
+                        vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                            category: 'go-race-condition',
+                            severity: 'high',
+                            confidence: 'medium',
+                            message: `Potential race condition: Map '${mapVar}' accessed without synchronization in concurrent context`,
+                            line: lineNumber,
+                            suggestion: 'Use sync.Mutex or sync.RWMutex to protect concurrent map access, or use sync.Map',
+                            owasp: 'A04:2025 - Insecure Design',
+                            cwe: 'CWE-362',
+                            pciDss: 'PCI DSS 6.5.6',
+                            remediation: {
+                                explanation: 'Concurrent map access in Go causes runtime panics and data races. Use sync.Mutex/sync.RWMutex for protection, or use sync.Map for concurrent-safe operations.',
+                                before: `// UNSAFE\nvar cache = make(map[string]string)\ngo func() {\n    cache["key"] = "value" // Race condition!\n}()\nvalue := cache["key"]`,
+                                after: `// SAFE\nvar (\n    cache = make(map[string]string)\n    mu    sync.RWMutex\n)\ngo func() {\n    mu.Lock()\n    cache["key"] = "value"\n    mu.Unlock()\n}()\nmu.RLock()\nvalue := cache["key"]\nmu.RUnlock()`
+                            },
+                            attackVector: {
+                                description: 'Race conditions in concurrent map access can cause data corruption, inconsistent state, or runtime panics (fatal errors). Attackers can exploit race conditions to bypass security checks or corrupt application state.',
+                                exploitExample: `// Vulnerable:\nvar sessionCache = make(map[string]*Session)\ngo cleanupExpiredSessions(sessionCache)\n// Attacker triggers concurrent access\nif session, ok := sessionCache[token]; ok {\n    // Race: session might be deleted by cleanup goroutine\n    if session.IsAdmin { // Panic or wrong data!\n        grantAdminAccess()\n    }\n}`,
+                                realWorldImpact: [
+                                    'Application crashes (runtime panic on concurrent map access)',
+                                    'Data corruption and inconsistent state',
+                                    'Authentication/authorization bypass via race conditions',
+                                    'Security check bypasses (TOCTOU vulnerabilities)',
+                                    'Difficult to reproduce bugs in production'
+                                ]
+                            }
+                        }));
+                        break; // Only report once per map variable
+                    }
+                }
+            }
+            // Check for slice access without synchronization
+            for (const sliceVar of sliceVars) {
+                const hasSliceWrite = new RegExp(`${sliceVar}\\s*=\\s*append\\(|${sliceVar}\\[\\d+\\]\\s*=`, 'i').test(trimmed);
+                if (hasSliceWrite) {
+                    // Look for mutex protection in surrounding ±10 lines
+                    let hasMutexProtection = false;
+                    const startLine = Math.max(0, index - 10);
+                    const endLine = Math.min(lines.length, index + 10);
+                    for (let i = startLine; i < endLine; i++) {
+                        const contextLine = lines[i].trim();
+                        if (/\.Lock\(\)|\.RLock\(\)|\.Unlock\(\)|\.RUnlock\(\)/i.test(contextLine)) {
+                            hasMutexProtection = true;
+                            break;
+                        }
+                    }
+                    // Check for goroutine context
+                    let hasGoroutineInContext = false;
+                    for (let i = startLine; i < endLine; i++) {
+                        if (/go\s+func|go\s+\w+\s*\(/i.test(lines[i])) {
+                            hasGoroutineInContext = true;
+                            break;
+                        }
+                    }
+                    if (!hasMutexProtection && hasGoroutineInContext) {
+                        vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                            category: 'go-race-condition',
+                            severity: 'high',
+                            confidence: 'medium',
+                            message: `Potential race condition: Slice '${sliceVar}' modified without synchronization in concurrent context`,
+                            line: lineNumber,
+                            suggestion: 'Use sync.Mutex or sync.RWMutex to protect concurrent slice modifications',
+                            owasp: 'A04:2025 - Insecure Design',
+                            cwe: 'CWE-362',
+                            pciDss: 'PCI DSS 6.5.6',
+                            remediation: {
+                                explanation: 'Concurrent slice modifications cause data races. While slices don\'t panic like maps, they can corrupt data. Use sync.Mutex to protect writes.',
+                                before: `// UNSAFE\nvar items []string\ngo func() {\n    items = append(items, "value") // Race!\n}()`,
+                                after: `// SAFE\nvar (\n    items []string\n    mu    sync.Mutex\n)\ngo func() {\n    mu.Lock()\n    items = append(items, "value")\n    mu.Unlock()\n}()`
+                            },
+                            attackVector: {
+                                description: 'Concurrent slice modifications cause data races that can corrupt memory, lose data, or cause inconsistent state.',
+                                exploitExample: `// Multiple goroutines appending:\nfor i := 0; i < 10; i++ {\n    go func(val int) {\n        results = append(results, val) // Race!\n    }(i)\n}\n// Result: Lost updates, corrupted data`,
+                                realWorldImpact: [
+                                    'Data loss (lost append operations)',
+                                    'Memory corruption',
+                                    'Inconsistent application state',
+                                    'Difficult to debug intermittent failures'
+                                ]
+                            }
+                        }));
+                        break; // Only report once per slice variable
+                    }
+                }
+            }
+            // Check for simple variable race conditions (int, string, bool, etc.)
+            // Detect patterns like: counter++, counter--, counter += value, counter = value
+            const simpleVarPattern = /(\w+)\s*(?:\+\+|--|[\+\-\*\/]=|=(?!=))/;
+            const match = trimmed.match(simpleVarPattern);
+            if (match) {
+                const varName = match[1];
+                // Skip if it's a struct field assignment (contains .)
+                // Skip if it's a declaration (var, const, :=)
+                if (!trimmed.includes('.') && !trimmed.includes('var ') && !trimmed.includes('const ') && !trimmed.includes(':=')) {
+                    // Check for goroutine context
+                    let hasGoroutineInContext = false;
+                    const startLine = Math.max(0, index - 10);
+                    const endLine = Math.min(lines.length, index + 10);
+                    for (let i = startLine; i < endLine; i++) {
+                        if (/go\s+func|go\s+\w+\s*\(/i.test(lines[i])) {
+                            hasGoroutineInContext = true;
+                            break;
+                        }
+                    }
+                    // Check for mutex protection
+                    let hasMutexProtection = false;
+                    for (let i = startLine; i < endLine; i++) {
+                        const contextLine = lines[i].trim();
+                        if (/\.Lock\(\)|\.RLock\(\)|\.Unlock\(\)|\.RUnlock\(\)|sync\.Mutex|sync\.RWMutex/i.test(contextLine)) {
+                            hasMutexProtection = true;
+                            break;
+                        }
+                    }
+                    if (hasGoroutineInContext && !hasMutexProtection) {
+                        vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                            category: 'go-race-condition',
+                            severity: 'high',
+                            confidence: 'medium',
+                            message: `Potential race condition: Variable '${varName}' accessed/modified without synchronization in concurrent context`,
+                            line: lineNumber,
+                            suggestion: 'Use sync.Mutex, sync.RWMutex, or atomic operations (sync/atomic package) to protect concurrent access',
+                            owasp: 'A04:2025 - Insecure Design',
+                            cwe: 'CWE-362',
+                            pciDss: 'PCI DSS 6.5.6',
+                            remediation: {
+                                explanation: 'Concurrent access to shared variables without synchronization causes data races. Use sync.Mutex for simple protection, or atomic operations for better performance on counters.',
+                                before: `// UNSAFE\nvar counter int\ngo func() {\n    for i := 0; i < 1000; i++ {\n        counter++ // Race condition!\n    }\n}()\ncounter++`,
+                                after: `// SAFE Option 1: Using Mutex\nvar (\n    counter int\n    mu      sync.Mutex\n)\ngo func() {\n    for i := 0; i < 1000; i++ {\n        mu.Lock()\n        counter++\n        mu.Unlock()\n    }\n}()\nmu.Lock()\ncounter++\nmu.Unlock()\n\n// SAFE Option 2: Using atomic (better for counters)\nvar counter int64\ngo func() {\n    for i := 0; i < 1000; i++ {\n        atomic.AddInt64(&counter, 1)\n    }\n}()\natomic.AddInt64(&counter, 1)`
+                            },
+                            attackVector: {
+                                description: 'Race conditions on shared variables can cause data corruption, lost updates, and unpredictable behavior. In security contexts, this can lead to authorization bypasses or state corruption.',
+                                exploitExample: `// Vulnerable:\nvar loginAttempts int\ngo func() {\n    loginAttempts = 0 // Reset counter\n}()\n// Race: Check might see old value\nif loginAttempts < 3 {\n    // Attacker can bypass rate limit via race condition\n    allowLogin()\n}`,
+                                realWorldImpact: [
+                                    'Data corruption and lost updates',
+                                    'Authentication/authorization bypasses',
+                                    'Rate limiting failures',
+                                    'Inconsistent application state',
+                                    'Security check bypasses (TOCTOU vulnerabilities)'
+                                ]
+                            }
+                        }));
+                    }
+                }
+            }
+        }
+        // =============================================================================
+        // Check #2: Goroutine Leaks (Unclosed Channels)
+        // =============================================================================
+        // CVSS 4.0 - MEDIUM
+        // Detects channels that are created but never closed, causing goroutine leaks
+        if (hasChannels) {
+            for (const chanVar of channelVars) {
+                // Check if this channel is ever closed in the file
+                const channelClosedPattern = new RegExp(`close\\s*\\(\\s*${chanVar}\\s*\\)`, 'i');
+                const isChannelClosed = channelClosedPattern.test(fileContent);
+                // Check if channel is used in a goroutine context
+                let channelUsedInGoroutine = false;
+                let goroutineStartLine = -1;
+                for (let i = 0; i < lines.length; i++) {
+                    const contextLine = lines[i].trim();
+                    // Track goroutine start
+                    if (/go\s+func|go\s+\w+\s*\(/i.test(contextLine)) {
+                        goroutineStartLine = i;
+                    }
+                    // Check if channel is used after goroutine start
+                    const chanUsagePattern = new RegExp(`${chanVar}\\s*<-|<-\\s*${chanVar}`, 'i');
+                    if (goroutineStartLine >= 0 && chanUsagePattern.test(contextLine)) {
+                        channelUsedInGoroutine = true;
+                        break;
+                    }
+                }
+                // Report if channel is never closed and used in goroutine
+                if (!isChannelClosed && channelUsedInGoroutine) {
+                    // Find the line where the channel is declared
+                    for (let i = 0; i < lines.length; i++) {
+                        const declLine = lines[i].trim();
+                        const declMatch = declLine.match(new RegExp(`${chanVar}\\s*(?::=|=)\\s*make\\s*\\(\\s*chan`, 'i'));
+                        if (declMatch) {
+                            vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                                category: 'go-goroutine-leak',
+                                severity: 'medium',
+                                confidence: 'medium',
+                                message: `Potential goroutine leak: Channel '${chanVar}' is never closed`,
+                                line: i + 1,
+                                suggestion: 'Close the channel with close() when done to prevent goroutine leaks',
+                                owasp: 'A04:2025 - Insecure Design',
+                                cwe: 'CWE-404',
+                                pciDss: 'PCI DSS 6.5.6',
+                                remediation: {
+                                    explanation: 'Goroutines waiting on channels that are never closed will leak memory and resources. Always close channels when done, typically using defer close() in the sender.',
+                                    before: `func processItems() {\n    ch := make(chan int)\n    go func() {\n        for item := range ch { // Blocks forever if ch not closed\n            process(item)\n        }\n    }()\n    ch <- 1\n}`,
+                                    after: `func processItems() {\n    ch := make(chan int)\n    go func() {\n        for item := range ch {\n            process(item)\n        }\n    }()\n    ch <- 1\n    close(ch) // Prevents goroutine leak\n}`
+                                },
+                                attackVector: {
+                                    description: 'Unclosed channels cause goroutine leaks. Each leaked goroutine consumes memory (~2KB stack). Over time, this leads to memory exhaustion and application crashes.',
+                                    exploitExample: `// Attacker triggers many requests:\nfor i := 0; i < 100000; i++ {\n    ch := make(chan Result)\n    go fetchData(ch)\n    result := <-ch\n    // Channel never closed - goroutine leaks!\n}\n// Result: 100K leaked goroutines = 200MB+ wasted memory`,
+                                    realWorldImpact: [
+                                        'Memory leaks and eventual OOM crashes',
+                                        'Resource exhaustion (file descriptors, connections)',
+                                        'Performance degradation over time',
+                                        'Denial of Service through resource exhaustion',
+                                        'Increased infrastructure costs'
+                                    ]
+                                }
+                            }));
+                            break; // Only report once per channel
+                        }
+                    }
+                }
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=concurrency-safety.js.map

package/dist/src/lib/analyzers/go/security-checks/concurrency-safety.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"concurrency-safety.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/concurrency-safety.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAkBH,wDA2VC;AA1WD,sEAA6E;AAE7E;;;;;;;;;;;;GAYG;AACH,SAAgB,sBAAsB,CAAC,KAAe;IACpD,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,2DAA2D;IAC3D,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,aAAa,GAAG,+BAA+B,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,WAAW,GAAG,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAE7D,mCAAmC;IACnC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IAEpC,4CAA4C;IAC5C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,yBAAyB;QACzB,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC3E,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,mFAAmF;QACnF,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC9F,IAAI,UAAU,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5C,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,CAAC;QAED,6BAA6B;QAC7B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC3E,IAAI,SAAS,EAAE,CAAC;YACd,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAChC,CAAC;QAED,2BAA2B;QAC3B,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC1E,IAAI,UAAU,EAAE,CAAC;YACf,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,kDAAkD;IAClD,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,gFAAgF;QAChF,8DAA8D;QAC9D,gFAAgF;QAChF,kBAAkB;QAClB,mEAAmE;QAEnE,IAAI,aAAa,EAAE,CAAC;YAClB,gDAAgD;YAChD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,YAAY,GAAG,IAAI,MAAM,CAAC,GAAG,MAAM,WAAW,MAAM,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEtF,IAAI,YAAY,EAAE,CAAC;oBACjB,qDAAqD;oBACrD,IAAI,kBAAkB,GAAG,KAAK,CAAC;oBAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;oBAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;oBAEnD,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;wBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;wBACpC,IAAI,8DAA8D,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;4BACrF,kBAAkB,GAAG,IAAI,CAAC;4BAC1B,MAAM;wBACR,CAAC;oBACH,CAAC;oBAED,4CAA4C;oBAC5C,IAAI,qBAAqB,GAAG,KAAK,CAAC;oBAClC,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;wBACzC,IAAI,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC9C,qBAAqB,GAAG,IAAI,CAAC;4BAC7B,MAAM;wBACR,CAAC;oBACH,CAAC;oBAED,IAAI,CAAC,kBAAkB,IAAI,qBAAqB,EAAE,CAAC;wBACjD,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;4BAC5B,QAAQ,EAAE,mBAAmB;4BAC7B,QAAQ,EAAE,MAAM;4BAChB,UAAU,EAAE,QAAQ;4BACpB,OAAO,EAAE,kCAAkC,MAAM,0DAA0D;4BAC3G,IAAI,EAAE,UAAU;4BAChB,UAAU,EAAE,kFAAkF;4BAC9F,KAAK,EAAE,4BAA4B;4BACnC,GAAG,EAAE,SAAS;4BACd,MAAM,EAAE,eAAe;4BACvB,WAAW,EAAE;gCACX,WAAW,EACT,+JAA+J;gCACjK,MAAM,EAAE,wIAAwI;gCAChJ,KAAK,EAAE,+MAA+M;6BACvN;4BACD,YAAY,EAAE;gCACZ,WAAW,EACT,yNAAyN;gCAC3N,cAAc,EAAE,gVAAgV;gCAChW,eAAe,EAAE;oCACf,8DAA8D;oCAC9D,wCAAwC;oCACxC,yDAAyD;oCACzD,kDAAkD;oCAClD,2CAA2C;iCAC5C;6BACF;yBACF,CAAC,CACH,CAAC;wBACF,MAAM,CAAC,oCAAoC;oBAC7C,CAAC;gBACH,CAAC;YACH,CAAC;YAED,iDAAiD;YACjD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;gBACjC,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,GAAG,QAAQ,sBAAsB,QAAQ,iBAAiB,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEhH,IAAI,aAAa,EAAE,CAAC;oBAClB,qDAAqD;oBACrD,IAAI,kBAAkB,GAAG,KAAK,CAAC;oBAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;oBAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;oBAEnD,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;wBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;wBACpC,IAAI,oDAAoD,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;4BAC3E,kBAAkB,GAAG,IAAI,CAAC;4BAC1B,MAAM;wBACR,CAAC;oBACH,CAAC;oBAED,8BAA8B;oBAC9B,IAAI,qBAAqB,GAAG,KAAK,CAAC;oBAClC,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;wBACzC,IAAI,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC9C,qBAAqB,GAAG,IAAI,CAAC;4BAC7B,MAAM;wBACR,CAAC;oBACH,CAAC;oBAED,IAAI,CAAC,kBAAkB,IAAI,qBAAqB,EAAE,CAAC;wBACjD,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;4BAC5B,QAAQ,EAAE,mBAAmB;4BAC7B,QAAQ,EAAE,MAAM;4BAChB,UAAU,EAAE,QAAQ;4BACpB,OAAO,EAAE,oCAAoC,QAAQ,0DAA0D;4BAC/G,IAAI,EAAE,UAAU;4BAChB,UAAU,EAAE,0EAA0E;4BACtF,KAAK,EAAE,4BAA4B;4BACnC,GAAG,EAAE,SAAS;4BACd,MAAM,EAAE,eAAe;4BACvB,WAAW,EAAE;gCACX,WAAW,EACT,gJAAgJ;gCAClJ,MAAM,EAAE,8FAA8F;gCACtG,KAAK,EAAE,mJAAmJ;6BAC3J;4BACD,YAAY,EAAE;gCACZ,WAAW,EACT,kHAAkH;gCACpH,cAAc,EAAE,6LAA6L;gCAC7M,eAAe,EAAE;oCACf,oCAAoC;oCACpC,mBAAmB;oCACnB,gCAAgC;oCAChC,0CAA0C;iCAC3C;6BACF;yBACF,CAAC,CACH,CAAC;wBACF,MAAM,CAAC,sCAAsC;oBAC/C,CAAC;gBACH,CAAC;YACH,CAAC;YAED,sEAAsE;YACtE,gFAAgF;YAChF,MAAM,gBAAgB,GAAG,wCAAwC,CAAC;YAClE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAE9C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEzB,sDAAsD;gBACtD,8CAA8C;gBAC9C,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBAClH,8BAA8B;oBAC9B,IAAI,qBAAqB,GAAG,KAAK,CAAC;oBAClC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;oBAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;oBAEnD,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;wBACzC,IAAI,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC9C,qBAAqB,GAAG,IAAI,CAAC;4BAC7B,MAAM;wBACR,CAAC;oBACH,CAAC;oBAED,6BAA6B;oBAC7B,IAAI,kBAAkB,GAAG,KAAK,CAAC;oBAC/B,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;wBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;wBACpC,IAAI,8EAA8E,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;4BACrG,kBAAkB,GAAG,IAAI,CAAC;4BAC1B,MAAM;wBACR,CAAC;oBACH,CAAC;oBAED,IAAI,qBAAqB,IAAI,CAAC,kBAAkB,EAAE,CAAC;wBACjD,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;4BAC5B,QAAQ,EAAE,mBAAmB;4BAC7B,QAAQ,EAAE,MAAM;4BAChB,UAAU,EAAE,QAAQ;4BACpB,OAAO,EAAE,uCAAuC,OAAO,mEAAmE;4BAC1H,IAAI,EAAE,UAAU;4BAChB,UAAU,EAAE,uGAAuG;4BACnH,KAAK,EAAE,4BAA4B;4BACnC,GAAG,EAAE,SAAS;4BACd,MAAM,EAAE,eAAe;4BACvB,WAAW,EAAE;gCACX,WAAW,EACT,iLAAiL;gCACnL,MAAM,EAAE,uIAAuI;gCAC/I,KAAK,EAAE,mbAAmb;6BAC3b;4BACD,YAAY,EAAE;gCACZ,WAAW,EACT,6LAA6L;gCAC/L,cAAc,EAAE,4OAA4O;gCAC5P,eAAe,EAAE;oCACf,kCAAkC;oCAClC,uCAAuC;oCACvC,wBAAwB;oCACxB,gCAAgC;oCAChC,kDAAkD;iCACnD;6BACF;yBACF,CAAC,CACH,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,gDAAgD;QAChD,gFAAgF;QAChF,oBAAoB;QACpB,8EAA8E;QAE9E,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;gBAClC,mDAAmD;gBACnD,MAAM,oBAAoB,GAAG,IAAI,MAAM,CAAC,mBAAmB,OAAO,SAAS,EAAE,GAAG,CAAC,CAAC;gBAClF,MAAM,eAAe,GAAG,oBAAoB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBAE/D,kDAAkD;gBAClD,IAAI,sBAAsB,GAAG,KAAK,CAAC;gBACnC,IAAI,kBAAkB,GAAG,CAAC,CAAC,CAAC;gBAE5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAEpC,wBAAwB;oBACxB,IAAI,0BAA0B,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBACjD,kBAAkB,GAAG,CAAC,CAAC;oBACzB,CAAC;oBAED,iDAAiD;oBACjD,MAAM,gBAAgB,GAAG,IAAI,MAAM,CAAC,GAAG,OAAO,gBAAgB,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;oBAC9E,IAAI,kBAAkB,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBAClE,sBAAsB,GAAG,IAAI,CAAC;wBAC9B,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,0DAA0D;gBAC1D,IAAI,CAAC,eAAe,IAAI,sBAAsB,EAAE,CAAC;oBAC/C,8CAA8C;oBAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;wBACjC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,GAAG,OAAO,qCAAqC,EAAE,GAAG,CAAC,CAAC,CAAC;wBAEnG,IAAI,SAAS,EAAE,CAAC;4BACd,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;gCAC5B,QAAQ,EAAE,mBAAmB;gCAC7B,QAAQ,EAAE,QAAQ;gCAClB,UAAU,EAAE,QAAQ;gCACpB,OAAO,EAAE,sCAAsC,OAAO,mBAAmB;gCACzE,IAAI,EAAE,CAAC,GAAG,CAAC;gCACX,UAAU,EAAE,qEAAqE;gCACjF,KAAK,EAAE,4BAA4B;gCACnC,GAAG,EAAE,SAAS;gCACd,MAAM,EAAE,eAAe;gCACvB,WAAW,EAAE;oCACX,WAAW,EACT,oKAAoK;oCACtK,MAAM,EAAE,oMAAoM;oCAC5M,KAAK,EAAE,2MAA2M;iCACnN;gCACD,YAAY,EAAE;oCACZ,WAAW,EACT,kKAAkK;oCACpK,cAAc,EAAE,wPAAwP;oCACxQ,eAAe,EAAE;wCACf,uCAAuC;wCACvC,qDAAqD;wCACrD,mCAAmC;wCACnC,+CAA+C;wCAC/C,gCAAgC;qCACjC;iCACF;6BACF,CAAC,CACH,CAAC;4BACF,MAAM,CAAC,+BAA+B;wBACxC,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Go Credentials and Cryptography Security Checks
+ * OWASP A07:2025 - Authentication Failures, A02:2025 - Cryptographic Failures
+ *
+ * Detects hardcoded credentials, weak cryptographic practices, and insecure
+ * random number generation in Go code.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for credential exposure and cryptographic weaknesses
+ *
+ * Covers:
+ * - Check #1: Hardcoded API keys/tokens (CRITICAL)
+ * - Check #2: Hardcoded passwords/secrets (CRITICAL)
+ * - Check #3: Weak password hashing with MD5/SHA1 (HIGH)
+ * - Check #4: Weak random number generation with math/rand (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkCredentialsAndCrypto(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=credentials-crypto.d.ts.map

package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials-crypto.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/credentials-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;GAWG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CA+SlF"}

package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.js

@@ -0,0 +1,267 @@
+"use strict";
+/**
+ * Go Credentials and Cryptography Security Checks
+ * OWASP A07:2025 - Authentication Failures, A02:2025 - Cryptographic Failures
+ *
+ * Detects hardcoded credentials, weak cryptographic practices, and insecure
+ * random number generation in Go code.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkCredentialsAndCrypto = checkCredentialsAndCrypto;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for credential exposure and cryptographic weaknesses
+ *
+ * Covers:
+ * - Check #1: Hardcoded API keys/tokens (CRITICAL)
+ * - Check #2: Hardcoded passwords/secrets (CRITICAL)
+ * - Check #3: Weak password hashing with MD5/SHA1 (HIGH)
+ * - Check #4: Weak random number generation with math/rand (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkCredentialsAndCrypto(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    // First pass: Check if file imports crypto/rand or math/rand
+    const fileContent = lines.join('\n');
+    const hasCryptoRandImport = /"crypto\/rand"/.test(fileContent);
+    const hasMathRandImport = /"math\/rand"/.test(fileContent);
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comments (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//')) {
+            return;
+        }
+        // =============================================================================
+        // Check #1 & #2: Hardcoded Credentials (API Keys, Passwords, Secrets)
+        // =============================================================================
+        // CVSS 9.1 - CRITICAL
+        // Detects patterns like:
+        // - const APIKey = "sk-1234567890abcdef"
+        // - apiKey := "sk-1234567890abcdef"
+        // - Password: "SuperSecret123!"
+        // - var jwtSecret = "my-secret-key"
+        // Pattern 1: Variable assignment (const/var/identifier :=)
+        // Match both complete strings and multi-line strings (closing quote optional)
+        const credentialAssignmentMatch = trimmed.match(/(?:const|var)?\s*(\w*(?:password|passwd|pwd|secret|apikey|api_key|privatekey|private_key|authtoken|auth_token|dbpassword|db_password|jwtsecret|jwt_secret|token|key)\w*)\s*(?::=|=)\s*"([^"]{8,})"?/i);
+        if (credentialAssignmentMatch &&
+            !trimmed.includes('os.Getenv') &&
+            !trimmed.includes('os.LookupEnv') &&
+            !trimmed.includes('viper.Get') &&
+            !trimmed.includes('config.') &&
+            !trimmed.includes('fmt.Print') &&
+            !trimmed.includes('log.') &&
+            !trimmed.includes('// Example:') &&
+            !trimmed.includes('// DON\'T')) {
+            const credentialValue = credentialAssignmentMatch[2];
+            // Validation: check if value looks like a real credential
+            const isRealCredential = credentialValue.length >= 8 &&
+                !credentialValue.match(/^(test|example|demo|sample|fake|your|placeholder|xxx|changeme)/i) &&
+                !credentialValue.match(/^(.)\1+$/); // Skip repeated characters (e.g., "aaaaaaaa")
+            if (isRealCredential) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-hardcoded-credentials',
+                    severity: 'critical',
+                    confidence: 'high',
+                    message: 'Hardcoded credentials exposed in source code',
+                    line: lineNumber,
+                    suggestion: 'Use environment variables with os.Getenv() or a secrets manager',
+                    owasp: 'A07:2025 - Identification and Authentication Failures',
+                    cwe: 'CWE-798',
+                    pciDss: 'PCI DSS 6.5.10',
+                    remediation: {
+                        explanation: 'Hardcoded credentials in source code are visible to anyone with repository access and persist in Git history forever. They cannot be rotated without code changes and redeployment.',
+                        before: `const APIKey = "sk-1234567890abcdef"`,
+                        after: `import "os"\nconst APIKey = os.Getenv("API_KEY") // Store in environment variables`
+                    },
+                    attackVector: {
+                        description: 'Hardcoded credentials allow attackers who gain repository access to authenticate as the application, bypassing all security controls.',
+                        exploitExample: `// Attacker finds in Git history:\nconst DBPassword = "SuperSecret123!"\n// Gains full database access`,
+                        realWorldImpact: [
+                            'Unauthorized access to APIs, databases, or cloud services',
+                            'Account takeover and privilege escalation',
+                            'Data breach and exfiltration',
+                            'Credentials cannot be rotated without code changes',
+                            'Exposed in version control history permanently'
+                        ]
+                    }
+                }));
+            }
+        }
+        // Pattern 2: Struct field assignment (Password: "...")
+        const structFieldMatch = trimmed.match(/(\w*(?:Password|Passwd|Pwd|Secret|APIKey|Api_key|PrivateKey|Private_key|AuthToken|Auth_token|DBPassword|Db_password|JWTSecret|Jwt_secret|Token|Key)\w*):\s*"([^"]{8,})"/i);
+        if (structFieldMatch &&
+            !trimmed.includes('os.Getenv') &&
+            !trimmed.includes('os.LookupEnv') &&
+            !trimmed.includes('viper.Get') &&
+            !trimmed.includes('config.') &&
+            !trimmed.includes('fmt.Print') &&
+            !trimmed.includes('log.')) {
+            const credentialValue = structFieldMatch[2];
+            const isRealCredential = credentialValue.length >= 8 &&
+                !credentialValue.match(/^(test|example|demo|sample|fake|your|placeholder|xxx|changeme)/i) &&
+                !credentialValue.match(/^(.)\1+$/);
+            if (isRealCredential) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-hardcoded-credentials',
+                    severity: 'critical',
+                    confidence: 'high',
+                    message: 'Hardcoded credentials in struct initialization',
+                    line: lineNumber,
+                    suggestion: 'Use environment variables with os.Getenv() or a secrets manager',
+                    owasp: 'A07:2025 - Identification and Authentication Failures',
+                    cwe: 'CWE-798',
+                    pciDss: 'PCI DSS 6.5.10',
+                    remediation: {
+                        explanation: 'Hardcoded credentials in struct literals are visible to anyone with repository access. Use environment variables or a secrets manager like HashiCorp Vault.',
+                        before: `config := Config{\n    DBPassword: "SuperSecret123!",\n}`,
+                        after: `import "os"\nconfig := Config{\n    DBPassword: os.Getenv("DB_PASSWORD"),\n}`
+                    },
+                    attackVector: {
+                        description: 'Hardcoded credentials in configuration structs allow attackers to extract sensitive data by reading source code or compiled binaries.',
+                        exploitExample: `// Found in code:\nDBConfig{Password: "prod_db_pass_2024"}\n// Attacker gains production database access`,
+                        realWorldImpact: [
+                            'Unauthorized database or API access',
+                            'Account takeover',
+                            'Data breach',
+                            'Credentials persist in Git history',
+                            'Cannot rotate credentials without code deployment'
+                        ]
+                    }
+                }));
+            }
+        }
+        // =============================================================================
+        // Check #3: Weak Password Hashing (MD5/SHA1)
+        // =============================================================================
+        // CVSS 8.5 - HIGH
+        // Detects MD5 or SHA1 being used for password hashing
+        const hasPasswordContext = /password|passwd|pwd|credential|auth/i.test(trimmed);
+        const hasWeakHash = /(md5|sha1)/i.test(trimmed);
+        const hasCryptoImport = /crypto\/(md5|sha1)/i.test(trimmed);
+        // Check for MD5/SHA1 usage in password context
+        // Only flag if: (password context AND weak hash) OR (crypto import AND password in file)
+        const fileHasPasswordContext = /password|passwd|pwd|credential|auth/i.test(fileContent);
+        if ((hasPasswordContext && hasWeakHash) || (hasCryptoImport && fileHasPasswordContext)) {
+            // Additional context check - look for actual hashing operations
+            const hasHashingOperation = /\.Sum\(|\.Write\(|New\(\)/.test(trimmed) || /md5|sha1/.test(trimmed.toLowerCase());
+            if (hasHashingOperation || (hasCryptoImport && fileHasPasswordContext)) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-weak-hashing',
+                    severity: 'high',
+                    confidence: 'high',
+                    message: 'Weak cryptographic hash (MD5/SHA1) used for password hashing',
+                    line: lineNumber,
+                    suggestion: 'Use bcrypt, scrypt, or Argon2 for password hashing',
+                    owasp: 'A02:2025 - Cryptographic Failures',
+                    cwe: 'CWE-327',
+                    pciDss: 'PCI DSS 6.5.3',
+                    remediation: {
+                        explanation: 'MD5 and SHA1 are fast hash functions designed for integrity checking, not password storage. They are vulnerable to brute-force and rainbow table attacks. Use password-specific algorithms like bcrypt, scrypt, or Argon2.',
+                        before: `import "crypto/md5"\nhash := md5.Sum([]byte(password))`,
+                        after: `import "golang.org/x/crypto/bcrypt"\nhash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)`
+                    },
+                    attackVector: {
+                        description: 'MD5 and SHA1 hashes can be cracked in seconds using rainbow tables or GPU-accelerated brute force. Attackers who obtain the password database can easily recover plaintext passwords.',
+                        exploitExample: `// Weak hashing:\nmd5Hash := md5.Sum([]byte(password))\n// Attacker uses hashcat to crack in <1 second`,
+                        realWorldImpact: [
+                            'Password database compromises lead to plaintext password recovery',
+                            'Account takeover across multiple services (password reuse)',
+                            'Compliance violations (PCI DSS, GDPR)',
+                            'Regulatory fines and reputation damage'
+                        ]
+                    }
+                }));
+            }
+        }
+        // =============================================================================
+        // Check #4: Weak Random Number Generation (math/rand)
+        // =============================================================================
+        // CVSS 8.1 - HIGH
+        // Detects math/rand being used for security-critical operations
+        const hasSecurityContext = /token|secret|password|session|nonce|salt|csrf|api[_-]?key|auth/i.test(trimmed);
+        const hasRandOperation = /rand\.(Int|Intn|Read|Float|Shuffle|Perm)/i.test(trimmed) || /rand\.\w+\(/.test(trimmed);
+        // Only flag if:
+        // 1. Line has security context AND rand operation
+        // 2. File imports math/rand (not crypto/rand)
+        // 3. OR line explicitly mentions math/rand
+        const explicitMathRand = /math\/rand/.test(trimmed);
+        const isWeakRandom = hasRandOperation && (explicitMathRand || (hasMathRandImport && !hasCryptoRandImport));
+        if (hasSecurityContext && isWeakRandom) {
+            vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                category: 'go-weak-random',
+                severity: 'high',
+                confidence: 'high',
+                message: 'Weak random number generation (math/rand) for security-critical operation',
+                line: lineNumber,
+                suggestion: 'Use crypto/rand for security-critical random number generation',
+                owasp: 'A02:2025 - Cryptographic Failures',
+                cwe: 'CWE-338',
+                pciDss: 'PCI DSS 6.5.3',
+                remediation: {
+                    explanation: 'math/rand is a pseudo-random number generator (PRNG) designed for simulations and games, not cryptography. It is predictable and can be reversed. Use crypto/rand for tokens, secrets, and all security-critical randomness.',
+                    before: `import "math/rand"\ntoken := rand.Intn(1000000) // Predictable`,
+                    after: `import "crypto/rand"\nimport "encoding/base64"\nbytes := make([]byte, 32)\ncrypto/rand.Read(bytes)\ntoken := base64.URLEncoding.EncodeToString(bytes)`
+                },
+                attackVector: {
+                    description: 'math/rand uses a deterministic algorithm that can be predicted or reversed if the seed is known. Attackers can predict session tokens, API keys, CSRF tokens, and other secrets.',
+                    exploitExample: `// Weak token generation:\nsessionToken := rand.Intn(999999)\n// Attacker predicts token sequence and hijacks sessions`,
+                    realWorldImpact: [
+                        'Session hijacking and account takeover',
+                        'CSRF token prediction enabling CSRF attacks',
+                        'API key prediction enabling unauthorized access',
+                        'Cryptographic salt prediction weakening password hashes'
+                    ]
+                }
+            }));
+        }
+        // Special case: Detect math/rand import in files that handle security
+        // Only check actual import statements, not comments
+        const isMathRandImport = trimmed === 'import "math/rand"' || trimmed === '"math/rand"';
+        if (isMathRandImport && hasMathRandImport) {
+            // Check if the file likely deals with security (heuristic)
+            const hasSecurityKeywords = /password|token|secret|session|auth|crypto|security|key|csrf/.test(fileContent.toLowerCase());
+            if (hasSecurityKeywords) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-weak-random',
+                    severity: 'high',
+                    confidence: 'medium',
+                    message: 'math/rand imported in security-sensitive file - use crypto/rand instead',
+                    line: lineNumber,
+                    suggestion: 'Replace math/rand with crypto/rand for all security-critical operations',
+                    owasp: 'A02:2025 - Cryptographic Failures',
+                    cwe: 'CWE-338',
+                    pciDss: 'PCI DSS 6.5.3',
+                    remediation: {
+                        explanation: 'Files that handle authentication, tokens, or cryptography should never use math/rand. Use crypto/rand for all random number generation in security contexts.',
+                        before: `import "math/rand"`,
+                        after: `import "crypto/rand"`
+                    },
+                    attackVector: {
+                        description: 'Using math/rand in security-sensitive files indicates potential weak random number generation throughout the codebase.',
+                        exploitExample: `// In auth.go:\nimport "math/rand"\n// Any token/secret generation is now weak`,
+                        realWorldImpact: [
+                            'Predictable tokens and secrets',
+                            'Session hijacking',
+                            'Authentication bypass',
+                            'Cryptographic key prediction'
+                        ]
+                    }
+                }));
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=credentials-crypto.js.map